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IT  service  provider  organizations  that  have  implemented  a  Quality  Management  System  (QMS)  according  to  ISO 
9001  can  take  advantage  of  all  the  efforts  made  when  implementing  an  IT  Service  Management  System  (ITSMS). 
In  order  to  facilitate  the  integration  of  these  two  management  systems,  we  analyze  the  existing  relations 
between  the  requirements  of  the  QMS  and  the  ITSMS.  Based  on  these  results,  we  provide  a  new  Integrated 
Management  System  (IMS)  which  widens  the  scope  of  the  ISO  9001  QMS  with  the  specific  IT  service  manage¬ 
ment  requirements  of  ISO/IEC  20000-1,  and  present  a  guide  to  support  organizations  in  implementing  this  IMS. 
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1.  Introduction 

From  the  mid-nineties,  many  organizations  in  the  Information 
Technology  (IT)  sector  have  shown  their  interest  in  deploying  best 
practices  for  implementing  and  managing  the  services  provided  [1-3]. 
IT  service  provider  organizations  have  opted  for  the  implementation 
of  standards  to  prove  their  ability  to  provide  products  that  meet 
customer  needs  and  increase  their  satisfaction.  One  of  the  generic  stan¬ 
dards  most  implemented  is  ISO  9001  [4],  which  defines  a  Quality 
Management  System  (QMS)  that  ensures  the  effectiveness  and  reliability 
of  business  processes  of  the  organization.  Moreover,  different  manage¬ 
ment  systems  standards  to  improve  processes  of  specific  knowledge 
areas  have  appeared  during  the  last  years  (such  as  ITIL  [5]  and  ISO/IEC 
20000-1  [6]  for  IT  service  management,  ISO/IEC  27001  [7]  for  information 
security  management  or  COBIT  [8]  and  SAS  70  [9]  for  the  governance  and 
auditing  of  enterprise  IT). 

Due  to  this  recent  proliferation  of  function-specific  management 
systems  and  related  standards,  a  need  has  emerged  to  somehow  inte¬ 
grate  them  into  one  holistic  Integrated  Management  System  (IMS)  that 
addresses  various  stakeholder  requirements  in  an  integrated  manner  in 
order  to  reduce  wasteful  redundancies  and  possibly  generate  synergy 
effects  [10-12],  Some  attempts  have  been  made  to  integrate  manage¬ 
ment  standards,  prevent  the  accumulation  of  management  systems 
become  a  burden,  and  find  the  elusive  “business  management  system" 
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that  can  serve  as  a  common  denominator  for  integrating  all  management 
standards  within  an  organization  [13],  However,  the  dynamics  of  the 
integration  process  are  not  yet  fully  understood  and  new  research  has 
yet  to  establish  how  the  integration  of  management  systems  gives  rise 
to  various  types  of  organizational  improvements  [11]. 

The  idea  of  integrating  best  practices  from  different  standards  and 
management  systems  has  been  the  subject  of  many  studies  in  recent 
years  [14-16],  There  is  no  single  valid  definition  for  the  term  IMS.  In 
many  cases,  the  interpretation  varies  depending  on  the  organization 
or  the  type  of  integration.  Karapetrovic  defines  an  IMS  as  a  composite 
of  interdependent  processes  that  operate  harmoniously,  share  the 
same  pool  of  human,  material,  information,  infrastructure  and  financial 
resources,  and  are  all  aimed  toward  the  fulfillment  of  set  goals  [17], 
Griffith  and  Bhutto  define  IMS  as  the  single  management  system  that 
delivers  the  processes  of  the  business  through  modular  and  mutually 
supporting  structured  management  functions  configured  around  the 
wider  needs  of  the  organization  [18],  For  Pojasek,  an  IMS  is  one  that 
combines  management  systems  using  an  employee  focus,  a  process 
view,  and  a  systems  approach  [13],  Bernardo  et  al.  summarize  integra¬ 
tion  as  a  process  of  linking  different  standardized  management  systems 
into  a  unique  management  system  with  common  resources  aiming  to 
improve  stakeholders'  satisfaction  [19]. 

During  the  last  decade,  the  demand  for  the  integration  of  manage¬ 
ment  systems  was  focused  on  the  areas  of  quality,  environmental  and 
occupational  health  and  safety.  Several  studies  identifying  the  similari¬ 
ties  among  the  ISO  9001,  ISO  14001  and  OHSAS  18001  management 
systems  standards  and  the  advantages  of  an  integrated  implementation 
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of  them  in  organizations  were  published  [17,20-24].  Moreover,  differ¬ 
ent  research  projects  aiming  to  implement  an  IMS  according  to  these 
standards  have  been  carried  out  in  several  countries:  Austria  [25], 
China  [26],  Italy  [27],  Spain  [28]  and  the  United  Kingdom  [18], 

In  this  paper  we  focus  on  the  integration  of  IT  Service  Management 
Systems  (ITSMS)  standards.  Nowadays,  the  standard  most  commonly 
used  for  establishing  an  ITSMS  is  ISO/1EC  20000-1 :201 1,  which  provides 
a  full  set  of  service  management  system  requirements  according  to  ITIL 
best  practices.  The  service  organizations  which  already  have  imple¬ 
mented  an  ISO  9001 :2008  QMS  and  that  are  interested  in  implementing 
an  ITSMS  can  reuse  previous  experiences,  knowledge,  processes  and 
practices.  From  our  experience  with  companies  in  our  environment, 
most  of  the  ITSMS  implementations  analyzed  have  been  performed 
with  a  very  low  level  of  integration  with  existing  QMS.  Organizations 
need  to  be  aware  that  an  integrated  implementation  of  management 
systems  will  impact,  in  the  medium  term,  in  the  day  to  day  operation 
of  the  business,  resulting  in  a  reduction  of  workload  and  duplicities 
and  an  optimization  of  the  tasks  related  to  the  implementation  and 
maintenance  of  the  management  systems. 

In  order  to  satisfy  the  demand  of  organizations  that  already  have 
implemented  an  ISO  9001:2008  QMS  for  performing  an  integrated 
implementation  of  an  ITSMS  the  research  presented  in  this  paper  pursues 
the  following  goals: 

•  Determine  the  existence  of  standards  for  the  integration  of  manage¬ 
ment  systems. 

•  Evaluate  existing  initiatives  for  the  creation  of  an  IMS  that  integrates 
the  ISO  9001 :2008  QMS  and  the  ITSMS. 

•  Analyze  the  relations  between  the  requirements  of  the  ITSMS  and  the 
QMS. 

•  Define  guidelines  to  support  organizations  in  the  implementation  of 
an  IMS  that  integrates  the  ITSMS  and  the  QMS. 

This  paper  is  organized  as  follows.  In  Section  2,  the  existing  standards 
and  guides  for  the  integration  of  management  systems  are  identified.  In 
Section  3,  the  quality  management  system  of  ISO  9001 :2008  and  the  IT 
service  management  system  of  ISO/IEC  20000-1:2011  are  detailed.  In 
Section  4,  a  systematic  literature  review  of  initiatives  to  integrate  the 
ISO  9001 :2008  QMS  with  other  ITSMS  is  presented.  Section  5  analyzes 
the  existing  relations  between  the  requirements  of  both  management 
systems  and  provides  an  integrated  management  system  according  to 
ISO/IEC  20000-1  and  ISO  9001.  Section  6  describes  the  guide  that  has 
been  developed  to  support  companies  in  the  implementation  of  the  pro¬ 
vided  IMS  and  how  it  has  been  evaluated  in  service  companies.  Finally, 
conclusions  and  future  work  are  presented  in  Section  7. 

2.  Standards  for  management  systems  integration 

Since  the  first  goal  of  our  research  was  to  identify  the  existing  stan¬ 
dards  addressing  the  integration  of  management  systems,  this  section 
presents  the  standards  that  have  been  developed  for  this  purpose  during 
the  last  decade. 

In  2001,  ISO  published  a  manual  of  good  practices  for  management 
systems  integration  called  ISO  Guide  72:2001  Guidelines  for  the  justifi¬ 
cation  and  development  of  management  of  system  standards  [29],  ISO 
Guide  72:2001  provides  guidance 

•  for  justifying  and  evaluating  a  project  for  the  development  of  a  new 
management  system  standard  with  a  view  to  assessing  market  rele¬ 
vance, 

•  on  the  methodology  of  developing  and  maintaining  management 
system  standards  with  a  view  to  ensuring  compatibility  and  en¬ 
hancing  alignment,  and 

•  on  the  terminology,  structure  and  common  elements  of  management 
system  standards  with  a  view  to  ensuring  compatibility  as  well  as 
enhancing  alignment  and  ease  of  use. 


ISO  Guide  72:2001  categorize  the  common  elements  that  any 
management  system  provides  into  the  following  five  groups:  policy, 
planning,  implementation  and  operation,  performance,  and  improve¬ 
ment  and  management  review.  ISO  Guide  72:2001  has  been  used  as 
the  basis  for  multiple  management  systems,  such  as  ISO  9001,  ISO 
14001,  OHSAS  18001,  ISO  22000  and  ISO/IEC  27001.  While  each  stan¬ 
dard  has  its  own  specific  requirements,  these  six  categories  are  present 
in  all  cases. 

Some  of  the  countries  that  have  made  important  efforts  to  integrate 
management  systems  are  Australia/New  Zealand,  Spain  and  the  United 
Kingdom.  In  Australia  and  New  Zealand  the  standard  AS/NZS  458 1 : 1 999 
[30]  provides  guidance  to  identify  the  components  that  are  common  to 
all  management  systems.  The  standard's  goal  is  to  provide  a  guide  for  all 
management  systems  in  which  the  common  requirements  of  the  indi¬ 
vidual  systems  are  integrated  to  avoid  duplication  of  content  and  thus 
provide  a  uniform  basis  for  the  characteristics  of  each  individual  system. 

In  Spain,  AENOR  published  in  2005  the  standard  UNE  66177:2005 
[31  ],  which  provides  guidance  for  the  integration  of  management  sys¬ 
tems.  The  standard  consists  of  eight  chapters  and  five  appendices  that 
contain  guidelines  to  develop,  implement  and  evaluate,  through  review 
and  improvement  processes,  the  resulting  IMS.  Although  these  guide¬ 
lines  allow  easy  integration  of  management  systems  of  any  nature, 
the  standard  states  in  the  introduction  that  the  guidance  provided  spe¬ 
cifically  refers  to  ISO  9001,  ISO  14001and  OHSAS  18001,  as  they  were 
the  most  widespread  management  systems  at  the  time  of  publication 
of  the  standard. 

In  the  United  Kingdom,  the  British  Standards  Institution  (BSI) 
published  in  2006  the  PAS  99:2006  Publicly  Available  Specification  — 
Specification  of  common  management  system  as  a  framework  for 
Requirements  integration  [32],  It  consists  of  a  specification  of  common 
requirements  for  management  systems  and  a  framework  for  integra¬ 
tion.  It  was  developed  to  help  organizations  who  were  interested  in 
implementing  requirements  of  two  or  more  standards  in  an  integrated 
way.  The  structure  and  content  of  PAS  99:2006  were  developed  using 
the  same  pattern  used  for  any  new  management  system  standard, 
which  is  described  in  ISO  Guide  72:2001.  PAS  99:2006  introduces  a 
generic  framework  to  organize  in  an  integrated  manner  the  common 
requirements  of  standards  such  as,  for  example,  ISO  9001,  ISO  14001 
and  OHSAS  18001,  among  others. 

In  2008,  ISO  published  the  integrated  use  of  management  system 
standards  [33].  This  book  is  not  a  standard  or  specification  but  presents 
methodologies,  tools  and  practices  extracted  from  author’s  experience 
obtained  in  practical  cases.  It  addresses  some  of  the  ISO  management 
system  standards,  such  as  ISO  9001  for  quality  management, 
ISO  14001  for  environmental  management,  ISO  22000  for  food  safety, 
ISO  28000  for  supply  chain  security  and  ISO/IEC  27001  for  information 
security. 

3.  ISO  9001  and  ISO/IEC  20000-1  management  systems 

Since  ISO  9001 :2008  and  ISO/IEC  20000-1 :201 1  are  both  developed, 
maintained  and  refined  by  the  same  international  organization,  provide 
their  recommendations,  guidelines,  requirements  or  best  practices 
under  the  same  process  approach,  and  use  the  same  vocabulary  and 
terms,  there  are  a  large  number  of  relations  between  the  management 
systems  they  define  as  well  as  many  common  elements.  Due  to  these  re¬ 
lations,  we  took  as  a  reference  the  ITSMS  defined  by  the  ISO/IEC  20000- 
1:2011  standard. 

This  section  presents  the  management  systems  of  the  ISO  9001:2008 
and  ISO/IEC  20000-1 :201 1  standards,  describing  their  purpose,  objectives 
and  compatibility  with  other  standards. 

3.1.  ISO  9001:2008  quality  management  system 

ISO  9001 :2008  quality  management  systems  —  requirements  [4] 
promotes  the  adoption  of  a  process  approach  when  developing, 
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implementing  and  improving  the  effectiveness  of  a  Quality  Management 
System  (QMS),  to  enhance  customer  satisfaction  by  meeting  customer 
requirements.  It  enables  an  organization  to  align  or  integrate  its  own 
QMS  with  related  management  system  requirements. 

The  standard  is  structured  in  eight  clauses.  The  first  three  clauses 
deal  with  scope,  application  and  definitions.  Clauses  four  to  eight  are 
process-oriented  and  they  define  the  requirements  for  implementing 
a  QMS.  All  these  requirements  are  generic  and  are  intended  to  be  appli¬ 
cable  to  all  organizations,  regardless  of  type,  size  and  product  provided. 

ISO  9001 :2008  is  based  on  the  PDCA  (Plan-Do-Check-Act)  cycle,  also 
known  as  the  Deming  cycle.  PDCA  is  an  iterative  four-step  management 
method  used  in  business  for  the  control  and  continuous  improvement 
of  processes  and  products.  The  PDCA  cycle  is  the  operating  principle  of 
the  majority  of  ISO  management  systems. 

32.  ISO/IEC  20000-1 201 1  IT  service  management  system 

ISO/IEC  20000-1:2011  Information  technology  -  service  manage¬ 
ment  -  Part  1 :  Service  management  system  requirements  [6]  specifies 
requirements  for  the  service  provider  to  plan,  establish,  implement, 
operate,  monitor,  review,  maintain  and  improve  an  IT  Service  Manage¬ 
ment  System  (ITSMS).  These  requirements  include  the  design,  transi¬ 
tion,  delivery  and  improvement  of  services  to  fulfill  agreed  service 
requirements  and  provide  value  for  both  the  customer  and  the  service 
provider. 

ISO/IEC  20000-1:2011  is  also  based  on  the  PDCA  cycle  and  was 
originally  developed  to  reflect  best  practice  guidance  contained  within 
ITIL  [5],  although  it  equally  supports  other  IT  service  management 
frameworks  and  approaches,  including  some  components  of  COBIT  [8], 

ITIL  was  developed  by  the  U.K.  Office  of  Government  Commerce  in 
the  late  1980s  to  provide  guidance  on  what  should  be  done  in  order  to 
offer  users  adequate  IT  services  to  support  their  business  processes. 
ITIL  qualifications  are  available  for  individuals  but  until  recently  there 
was  no  way  for  an  IT  organization  to  prove  that  it  is  working  along  the 
ITIL  recommendations.  The  ISO/IEC  20000:2011  standard  was  con¬ 
ceived  to  fill  this  gap.  It  is  modeled  upon  the  principles  of  ITIL  and  allows 
IT  organizations  to  have  their  ITSMS  certified.  In  contrast  to  ITIL,  ISO/IEC 
20000-1 :201 1  does  not  offer  specific  advice  on  how  to  design  processes. 
It  is  rather  a  set  of  requirements  which  must  be  met  in  order  to  qualify 
for  certification. 

ISO/IEC  20000-1 :201 1  is  structured  in  nine  clauses.  As  ISO  9001,  the 
first  three  clauses  deal  with  scope,  application  and  definitions.  Clause 
four  defines  the  general  requirements  of  an  ITSMS.  Clause  five  defines 
the  requirements  for  the  design  and  transition  of  new  or  changed 
services.  Clauses  six  to  nine  are  process-oriented  and  define  the  service 
delivery,  control,  resolution  and  relationship  processes. 

Table  1  shows  the  correspondence  between  ISO/IEC  20000-1:2011 
sections  and  ITIL  201 1  processes.  As  ITIL  focuses  on  the  life  cycle  of  ser¬ 
vices,  but  offers  less  guidance  on  establishing  and  operating  the  ITSMS 
itself,  it  is  at  times  not  straightforward  to  map  ITIL  and  ISO/IEC  20000- 
1:2011,  especially  Sections  4  and  5.  In  those  cases  (marked  with  an 
asterisk),  various  ITIL  processes  together  can  be  used  to  fulfill  the 
requirements. 

4.  Systematic  literature  review  of  management  systems  integration 
initiatives 

This  section  presents  a  systematic  literature  review  of  all  the  existing 
initiatives  to  integrate  the  QMS  and  the  ITSMS.  The  research  is  under¬ 
taken  following  the  guidelines  proposed  by  Kitchenham  [34,35]  and 
the  review  protocol  template  developed  by  [36]  which  describes  each 
phase  of  the  systematic  review  process  in  terms  of  template  sections. 
The  protocol  used  for  the  systematic  review  is  composed  of  five  differ¬ 
ent  stages:  Question  Formularization,  Selection  of  Sources,  Selection  of 
Studies,  Information  Extraction  and  Results  Summarization.  These  five 
stages  are  detailed  in  the  next  sections. 


Table  1 

Correspondence  between  ISO/IEC  20000-1 :201 1  sections  and  ITIL  processes. 


ISO/IEC  20000-1 :201 1  chapter  Correspondence  with  ITIL 

4  Service  management  system  general  requirements 

4.1  Management  responsibility 

4.2  Governance  of  processes 
operated  by  other  parties 

4.3  Documentation  management 


.4  Resource  management 


4.5.1  Define  scope 

4.5.2  Plan  the  SMS  (Plan) 

4.5.3  Implement  and  operate  the  SMS 
(Do) 

4.5.4  Monitor  and  review  the  SMS 
(Check) 

4.5.5  Maintain  and  improve  the  SMS 
(Act) 

5  Design  and  transition  ofne 


Service  level  management 
Service  strategy* 

Service  design* 

Strategy  management  for  IT  services 
Service  design* 

Service  operation* 

Continual  service  improvement* 
Service  strategy*  Service  design*  and 
Continual  service  improvement* 


w  or  changed  services 


5.3  Design  and  development  of  net 
or  changed  services 

5.4  Transition  of  new  or  changed 

6  Service  delivery  processes 

6.1  Service  level  management 

6.2  Service  reporting 

6.3  Service  continuity  and 


Design  coordination 

Service  strategy* 
Service  design* 
Service  transition* 
Service  design* 
Service  transition* 
Service  transition* 


Service  level  management 
Service  level  management 
IT  service  continuity  management 
and  Availability  management 


6.3.1  Service  continuity  and 
availability  requirements 

6.3.2  Service  continuity  and 
availability  plans 

63.3  Service  continuity  and 
availability  monitoring  and  testing 

6.4  Budgeting  and  accounting  for  IT  Financial  management  for  IT  services 

6.5  Capacity  management 

6.6  Information  security 
management 

6.6.1  Information  security  policy 

6.6.2  Information  security  controls 

6.6.3  Information  security  changes  and 
incidents 


Capacity  management 


7  Relationship  processes 

7.1  Business  relationship 
management 

7.2  Supplier  management 

8  Resolution  processes 

8.1  Incident  and  service  request 
management 

8.2  Problem  management 

9  Control  processes 

9.1  Configuration  management 

9.2  Change  management 

9.3  Release  and  deployment 
management 


Business  relationship  management 
Supplier  management 

Incident  management  and  request 
fulfillment 

Problem  management 

Service  asset  and  configuration 

management 

Change  management 

Release  and  deployment  management 


4.1.  Question  formularization 

During  the  first  stage,  the  research  objectives  and  the  necessary  steps 
to  carry  it  out  are  defined.  With  the  aim  of  defining  the  context  in  which 


I  ,-L  Mesquida,  A  Mas  /  Computer  Standards  &  Interfaces  37(2015)  80-91 


the  systematic  review  is  applied,  the  protocol  suggests  to  specify  a  set  of 
items.  In  our  particular  case,  each  item  has  been  defined  specifically  for 
identifying  studies  dealing  with  the  integration  of  the  ISO  9001  quality 
management  system  and  the  IT  service  management  system. 

•  Problem:  The  organizations  that  have  implemented  the  ISO  9001  stan¬ 
dard  and  want  to  implement  an  IT  service  management  system  must 
meet  certain  requirements  that  have  already  partially  or  fully  imple¬ 
mented,  which  implies  a  task  repetition. 

•  Question:  What  initiatives  based  on  integrating  ISO  9001  and  ISO/IEC 
20000-1  management  systems  exist? 

•  Keywords  and  synonyms:  ISO  9001,  Quality  Management  System 
(QMS),  ISO/IEC  20000-1,  ISO  20000,  ITIL,  IT  Service  Management 
System  (ITSMS),  Integrated  Management  System  (IMS). 

•  Intervention:  Analyze  existing  integrated  management  systems 
covering  the  requirements  of  the  ISO  9001  QMS  and  an  ITSMS. 

•  Control:  There  are  no  initial  data  for  this  systematic  review. 

•  Effect:  Identify  all  the  initiatives,  frameworks  and  models  defining 
an  IMS  according  to  the  requirements  of  ISO  9001  and  an  IT  service 
management  system. 

•  Outcome  measure:  The  number  of  identified  studies,  initiatives  and 
IMS  models. 

•  Population:  The  set  of  research  proposals  and  papers  related  to  IMS 
according  to  ISO  9001  and  ITIL  or  ISO/IEC  20000-1  which  have  been 
published  in  the  list  of  sources  selected  for  conducting  the  systematic 
review. 

•  Application:  Organizations  of  all  types  and  sizes  which  have  imple¬ 
mented  the  ISO  9001  QMS  and  are  interested  in  minimizing  the  im¬ 
plementation  efforts  to  adopt  the  ITSMS.  Researchers  working  on 
quality  models  or  on  IT  service  management. 

•  Experimental  design:  None  statistical  analysis  methods  will  be  applied. 


4.2.  Selection  of  sources 

To  perform  the  selection  of  the  sources  where  searches  for  primary 
studies  will  be  executed,  the  systematic  review  protocol  proposes  to  ad¬ 
dress  the  following  issues:  definition  of  source  selection  criteria  and 
identification  of  sources,  selection  of  the  language  of  the  studies,  and 
definition  of  search  strings. 

With  regard  to  source  selection  criteria,  the  following  criteria  have 
been  defined:  publishing  companies  or  websites  suggested  by  experts, 
high-impact  publications,  availability  of  search  mechanisms  using 
keywords,  non-variability  in  search  results  by  using  the  same  set  of 
keywords  and  availability  on  the  Web.  The  sources  have  been  identified 
on  the  basis  of  the  judgment  of  the  authors  of  this  paper.  Taking  into 
account  the  defined  sources  selection  criteria  the  list  of  selected  sources 
is  shown  in  Table  2.  This  list  of  sources  includes  relevant  journals  in 
which  quality  management  and  IT  service  management  research  areas 
are  widely  dealt  with. 

Concerning  language  studies,  the  obtained  primary  studies  must  be 
written  in  English  or  Spanish. 


Table  2 

List  of  sources. 


Source  Name  Web  site 


1  ACM  Portal  (Digital  Library  & 

2  CiteSeerX 

3  Google  Scholar 

4  IEEE  Computer  Society  Digital 
Library 

5  IEEE  Xplore 

6  IET  Digital  Library 

7  SAGE  Journals 

8  ScienceDirect 

9  Springer  Link 

10  Wiley  InterScience 


http://portal.acm.org/portai.cfm 

http  ://citeseerx.ist.psu.edu 
http  ://scholar.google.com 
http://www.computer.org/portal/ 
web/csdl 

http://ieeexplore.ieee.org 

http://www.ietdl.org 

http://online.sagepub.com/ 

http://www.sciencedirect.com 

http://www.springerlink.com 

http://www.interscience.wiley.com 


By  taking  the  list  of  keywords  defined  in  Section  4.1  and  making 
combinations  with  the  logical  operators  “AND”  and  “OR",  the  search 
strings  shown  in  Table  3  have  been  obtained.  To  carry  out  the  searches, 
these  search  strings  need  to  be  adapted  to  each  of  the  search  engines  of 
the  selected  sources. 


4.3.  Selection  of  studies 

Once  the  sources  are  defined,  it  is  necessary  to  describe  the  process 
and  the  criteria  for  studies  selection  and  evaluation.  The  criteria  by 
which  studies  will  be  evaluated  to  decide  if  they  must  be  selected  or 
excluded  in  the  context  of  the  systematic  review  were  defined  by  the 
authors  of  the  paper  taking  into  account  Kitchenham's  proposals.  These 
criteria,  Inclusion  Criteria  (IC)  and  Exclusion  Criteria  (EC),  are  shown  in 
Table  4. 

The  process  performed  to  obtain  and  evaluate  primary  studies 
according  to  the  defined  inclusion  and  exclusion  criteria  is  illustrated 
as  a  flow  diagram  in  Fig.  1.  This  flow  diagram  shows  two  main  groups 
of  activities.  The  goal  of  the  first  group  is  the  selection  of  primary  studies. 
The  second  group  of  activities  aims  to  extract  the  information  of  the  se¬ 
lected  primary  studies.  Information  extraction  will  be  presented  later  in 
Section  4.4. 

With  regard  to  the  selection  of  primary  studies,  the  analysis  of  the 
title  and  the  keywords  will  be  the  main  inclusion  criteria.  In  case  this  in¬ 
formation  is  not  enough  to  decide  about  the  inclusion  or  the  exclusion  of 
the  study  then  the  abstract  will  be  also  analyzed  and  the  full  text,  if 
necessary.  Initially  all  types  of  primary  studies  related  to  the  definition 
or  application  of  an  integrated  management  system  will  be  taken  into 
account.  More  concretely,  the  focus  will  be  on  studies  presenting  an 
IMS  covering  the  requirements  of  ISO  9001  and  ITIL  or  ISO/IEC  20000-1 . 

Table  5  shows  the  distribution  of  the  studies  obtained  from  each 
search  source.  As  a  result  of  the  search  execution  1244  studies  were  ob¬ 
tained  for  further  evaluation.  Table  5  shows  the  number  of  initial  studies 
obtained  from  each  source  (see  the  column  “Discovered”). 

After  applying  the  inclusion  criteria  IC1,  IC2,  IC3  and  IC4,  defined  in 
Table  4,  only  96  of  the  1244  discovered  articles  were  considered  as  rele¬ 
vant  articles.  Applying  the  criterion  EC2  for  the  exclusion  of  duplicated  ar¬ 
ticles,  only  61  articles  were  obtained.  From  these,  applying  the  criterion 
EC1,  finally  only  4  articles  were  selected  as  primary  studies.  These  results 
are  shown  in  the  last  row  of  Table  5.  The  complete  list  of  selected  primary 
studies  is  presented  in  Table  6.  This  primary  study  selection  has  been 
reviewed  by  the  authors  in  order  to  guarantee  the  quality  of  the  included 
studies. 


4.4.  Information  extraction 

Once  primary  studies  are  selected,  the  extraction  of  relevant  infor¬ 
mation  begins.  The  criteria  by  which  the  information  obtained  from 
the  studies  should  be  included  were  defined.  These  information  inclu¬ 
sion  criteria  (ICinf)  are  presented  in  Table  7. 

To  analyze  the  data  obtained  from  the  selected  primary  studies  and 
to  standardize  the  way  in  which  information  should  be  registered,  an  in¬ 
formation  extraction  form  was  designed  in  order  to  meet  our  particular 
research  goals.  This  form  was  used  to  record  comments,  impressions 
and  the  most  important  ideas  from  each  primary  study.  The  structure 
and  contents  of  this  form  are  based  on  the  information  extraction 


Table  3 

Search  strings. 


Search  strings 

1  ((“ISO  9001”  or  (“ITIL”  or  “ISO  20000"))  and  (“IMS"  or  "integrated  management 
system")) 

2  ((“QMS"  or  “quality  management  system")  and  (“ITSMS"  or  “SMS"  or  “service 
management  system")  and  (“IMS"  or  “integrated”)) 


IC4  Include  papers  that  contain  information  related  to  the  definition  or 
application  of  an  integrated  management  system 
EC1  Exclude  those  papers  that  refer  to  the  ISO  9001  QMS  and  to  the  ITIL  or 
ISO/IEC  20000-1 ITSMS  separately,  without  showing  any  kind  of  rela¬ 
tionship  between  both  management  systems  or  between  their 
requirements 

EC2  Exclude  all  duplicated  papers 


format  proposed  in  Ref.  [41  ].  Table  8  shows,  for  each  primary  study,  the 
content  of  the  conclusions  field  of  the  information  extraction  form. 


4.5.  Results  summarization 

The  last  stage  of  the  systematic  review  protocol  aims  to  present  the 
data  and  conclusions  resulting  from  the  selected  primary  studies.  After 


the  systematic  review  execution,  1244  studies  were  discovered  and  4 
of  them  were  considered  primary  studies. 

The  obtained  results  show  the  trend  in  recent  years  to  integrate  dif¬ 
ferent  management  systems.  The  obtained  primary  studies  identify  and 
determine  the  main  reasons  for  integration  and  define  frameworks  and 
guidelines  in  very  abstract  terms.  These  models  provided  are  defined  at 
a  very  high  level,  using  a  theoretical  perspective.  None  of  them  provide 
specific  and  concrete  operational  procedures  that  can  be  useful  for  orga¬ 
nizations  to  implement  an  IMS  according  to  ISO  9001  and  ITIL  or  ISO/IEC 
20000-1. 

Since  integration  must  be  performed  at  the  level  of  processes  and 
requirements,  the  analysis  of  the  requirements  of  the  management 
systems  to  be  integrated  is  a  key  factor  for  a  successful  integration. 
The  selected  primary  studies  do  not  directly  address  the  requirements 
of  the  two  management  systems  to  be  integrated. 

In  conclusion,  primary  studies  resulting  from  the  systematic  review 
process  cannot  be  used  as  a  starting  point  to  meet  the  goal  set  by  this 
research  project. 


5.  ISO  9001  and  ISO/IEC  20000-1  integrated  management  system 

This  section  describes  the  IMS  obtained  from  the  relations  between 
the  requirements  of  the  ISO  9001 :2008  QMS  and  ISO/IEC  20000-1 :201 1 
ITSMS. 
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Table  5 

Distribution  of  studies  by  source. 


Search  date  Discovered  Relevant 


ACM  Portal  (Digital  Library  &  Guide) 

CiteSeerX 

Google  Scholar 

IEEE  Computer  Society  Digital  Library 

IEEE  Xplore 

IET  Digital  Library 

SAGE  Journals 

Springer  Link 
Wiley  InterScience 


2013/08/26  41 

2013/08/26  30 

2013/08/27  1023 

2013/08/26  10 

2013/08/26  39 

2013/08/28  5 

2013/08/28  1 

2013/08/29  33 

2013/08/30  17 

2013/08/30  45 

Total  1244 


10 


12 

96 


Not  repeated  Primaries 


5.1.  Research  method 

The  first  step  of  the  research  consisted  on  the  study  of  the  two  stan¬ 
dards  in  order  to  observe  if  the  management  systems  they  define  could 
be  integrated.  Both  standards  explicitly  refer  to  the  compatibility  with 
other  management  systems.  ISO  9001  does  not  include  requirements 
specific  to  other  management  systems  but  enables  an  organization  to 
align  or  integrate  its  own  QMS  with  related  management  system  re¬ 
quirements.  1SO/IEC  20000-1  enables  a  service  provider  to  integrate  its 
ITSMS  with  other  management  systems  in  the  service  provider's  organi¬ 
zation.  The  adoption  of  an  integrated  process  approach  and  the  PDCA 
methodology  enables  the  service  provider  to  align  or  fully  integrate 
multiple  management  system  standards.  Therefore,  we  corroborated 
that  the  1SO/IEC  20000-1  ITSMS  could  be  integrated  with  the  ISO  9001 
QMS. 

The  research  followed  an  integration  iterative  strategy  called  integra¬ 
tion  by  conversion,  which  allows  any  organization  to  reduce  the  human 
resources,  budget  and  time  necessary  for  planning,  implementing  and 
maintaining  a  new  management  system  [12,17],  This  type  of  integration 
takes  as  a  base  the  existing  management  system  and  expands  it  with  the 
elements  or  requirements  of  the  new  management  system  to  be  integrat¬ 
ed.  In  our  research,  the  relations  and  connections  between  each  ISO/IEC 
20000-1  ITSMS  requirement  and  the  ISO  9001  QMS  requirements  were 
thoroughly  examined.  The  final  version  of  the  mapping  between  the 
two  standards  is  the  result  of  a  successive  refinement  process  performed 
in  three  stages  as  shown  in  Fig.  2. 

•  With  the  objective  of  sharing  the  knowledge  and  the  different  points 
of  view  among  the  authors,  during  the  first  stage  (joint  analysis) 
both  standards  were  analyzed  by  the  authors  in  group.  Since  it  was 
not  possible  to  perform  a  complete  mapping  in  only  one  session,  dif¬ 
ferent  meetings  were  necessary  in  order  to  obtain  a  first  preliminary 
version  of  the  mapping.  During  each  meeting  two  or  three  ISO/IEC 
20000-1  clauses  were  analyzed.  More  specifically,  taking  into  account 
that  each  clause  is  composed  of  different  requirements,  for  each  re¬ 
quirement  its  description  was  analyzed  in  depth.  It  should  be  noted 
that  the  authors'  knowledge  of  the  ISO  9001  standard  facilitated  the 
initial  selection  of  the  set  of  clauses  related  to  the  requirement 
under  consideration.  After  a  detailed  analysis  of  the  requirements  of 


Table  6 

List  of  primary  studies  in  the  systematic  review. 

1  Integrated  management  systems  -  requirement 
of  contemporary  business  practices  [37] 

2  Integrated  information  management  systems  - 
security  and  protection  of  information  [38] 

3  Integrated  installing  ISO  9000  and  ISO  27000 
management  systems  on  an  orgamzanon  [39] 

4  The  development  of  business  standardization 
and  integrated  management  systems  [40] 


Chi-Hsiang  Wang  and 
Dwen-Ren  Tsai 
Vidosav  D.  Majstorovic  and 
Valentina  MannKovrc 


the  ISO  9001  selected  clauses,  it  was  possible  to  determine  the  exis¬ 
tence  or  not  of  a  connection  between  the  ISO/IEC  20000-1  require¬ 
ment  and  a  particular  ISO  9001  requirement. 

•  During  the  second  stage,  with  the  intention  of  consolidating  the 
results  obtained  after  the  meetings,  these  results  were  individually 
re-examined  by  each  author  to  confirm  the  decisions  reached  or,  on 
the  contrary,  to  make  some  modifications  to  the  initial  version  of  the 
mapping. 

•  Finally,  during  the  joint  review  stage  the  individual  proposals  of  each 
author  were  carefully  discussed  in  order  to  reach  a  general  consensus 
to  accept  or  reject  each  proposal. 

To  ensure  good  traceability  between  standards,  this  iterative  strategy 
was  also  performed  in  the  opposite  direction,  that  is,  comparing  the  ISO 
9001  QMS  requirements  with  the  ISO/IEC  20000-1  ITSMS  requirements, 
not  only  in  terms  of  requirements,  but  also  conceptually. 

5.2.  Analysis  of  the  relations  between  ISO  9001  and  ISO/IEC  20000-1 
management  systems 

After  conducting  a  thorough  analysis  of  all  the  requirements  of  both 
management  systems  three  different  types  of  relations  were  identified: 

•  Full  relation  (F).  The  ISO/IEC  20000-1  requirement  is  already  covered 
by  the  requirements  of  the  ISO  9001  QMS.  In  this  case,  any  specific  as¬ 
pect  concerning  IT  service  management  should  not  be  added  to  the 
implemented  QMS  when  defining  the  new  IMS.  An  example  of  this 
kind  of  relation  can  be  found  in  clause  4.3.1  Establish  and  maintain 
documents  of  ISO/IEC  20000-1 :201 1 ,  which  states  “The  service  provider 
shall  establish  and  maintain  documents,  including  records,  to  ensure 
effective  planning,  operation  and  control  of  the  SMS".  However,  this 
requirement  is  already  covered  by  ISO  9001:2008  in  its  clause  4.2.1 
General  d)  “The  quality  management  system  documentation  shall  in¬ 
clude  documents,  including  records,  determined  by  the  organization 
to  be  necessary  to  ensure  the  effective  planning,  operation  and  control 
of  its  processes”. 

•  Partial  relation  (P).  The  ISO/IEC  20000-1  requirement  expands  some 
of  the  ISO  9001  QMS  requirements  with  particular  aspects  of  IT 
service  management.  An  example  of  this  kind  of  relation  is  the  case 
of  requirements  related  to  management  commitment,  which  are 
defined  in  clause  5.1  Management  commitment  of  ISO  9001:2008. 


Table  7 

Definition  of  information  inclusion  criteria. 

Criterion  Description 

IClinf  Identify  existent  Integrated  Management  Systems  (IMS)  initiatives 
IC2Inf  Identify  methodologies,  techniques,  methods  and  procedures  for  IMS 
implementation  and  maintenance 

IC3i„f  Collect  information  about  the  relationships  between  the  requirements 
of  the  management  systems  that  are  integrated 
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Table  8 

Conclusions  extracted  from  primary  studies. 


Primary  study 


Conclusions  field  of  the  information  extraction  form 


Integrated  management  systems  -  requirement  of 
contemporary  business  practices  [37] 


Integrated  information  management  systems  —  security 
and  protection  of  information  [38] 


Integrated  installing  ISO  9000  and  ISO  27000  management 
systems  on  an  organization  [39] 


The  Development  of  Business  Standardization  and 
Integrated  Management  Systems  [40] 


This  paper  provides  an  approach  to  the  integration  of  different  standard  requirements,  based  on  the  interrelation  of 
mutually  connected  business  processes.  Integration  of  several  systems  into  one  is  more  efficient  and  economical 
than  developing  and  implementing  separate  systems.  The  paper  presents  and  explains  several  key  definitions 
related  to  integration  aspects.  Orientation  toward  business  processes  is  the  key  to  integration. 

This  paper  tries  to  find  consensus  in  three  different  types  of  the  management  systems:  the  quality  management 
system,  the  IT  service  management  system  and  the  information  security  management  system.  An  aim  is  to 
compose  a  complex  framework  based  on  advantages  and  synergies.  Author's  experience  with  integrations  of  the 
three  types  of  the  management  systems  into  one  consistent  information  management  framework  is  described.  The 
integration  is  based  on  similarities  of  the  management  systems  especially  on  the  PDCA  Model,  which  is  a  key 
shared  principle.  The  second  principle  is  an  effort  to  incorporate  information  risks  into  each  type  of  systems. 

In  this  paper,  an  integrated  management  system  model  suitable  for  ISO  9001,  ISO  27001  and  other  PDCA  based 
implementations  is  built.  This  integrated  system  model  may  facilitate  the  management  efficiency  of  organizations 
complied  with  multiple  PDCA  based  management  systems.  This  integrated  research  work  intends  to  realize  the 
PDCA  cyclic  management  mechanism  for  integrated  ISO  management  systems. 

The  basic  question  that  is  arisen  in  this  paper  is  how  to  apply  ISO  standards  in  an  integrated  fashion.  This  paper 
deals  with  the  development  of  individual  models  of  business  standardization,  and  their  integration  in  the  design 
and  implementation  of  IMS,  from  the  viewpoint  of  quality  management  requirements,  environmental  protection, 
the  safety  and  health  protection  of  employees  and  some  other  demands. 


“Top  management  shall  provide  evidence  of  its  commitment  to  the 
development  and  implementation  of  the  quality  management  system 
and  continually  improving  its  effectiveness  by  a)  communicating  to 
the  organization  the  importance  of  meeting  customer  as  well  as  stat¬ 
utory  and  regulatory  requirements,  b)  establishing  the  quality  policy, 
c)  ensuring  that  quality  objectives  are  established,  d)  conducting 
management  reviews,  and  e)  ensuring  the  availability  of  resources". 
In  this  case,  this  ISO  9001  QMS  requirement  should  be  extended 
with  specific  aspects  of  IT  service  management,  detailed  in  clauses 
4.1  A  Management  commitment  b),  c)  and  g)  of  ISO/IEC  20000- 
1 :2011 :  “Top  management  shall  provide  evidence  of  its  commitment 
to  planning,  establishing,  implementing,  operating,  monitoring, 
reviewing,  maintaining,  and  improving  the  SMS  and  services  by: 

b)  ensuring  that  the  service  management  plan  is  created,  implement¬ 
ed  and  maintained  in  order  to  adhere  to  the  policy,  achieve  the  objec¬ 
tives  for  service  management  and  fulfill  the  service  requirements; 

c)  communicating  the  importance  of  fulfilling  service  requirements; 
and  g)  ensuring  that  risks  to  services  are  assessed  and  managed”. 

•  Nonexistence  of  relation  (‘  ’).  When  ISO/IEC  20000-1  adds  new  re¬ 
quirements  specific  to  IT  service  management  not  covered  by  the 
ISO  9001  QMS.  An  example  of  this  kind  of  relation  can  be  found  in 
clauses  4.5.1  to  4.5.5  of  ISO/IEC  20000-1:2011  (4.5.1  Define  scope, 
4.5.2  Plan  the  SMS  (Plan),  4.5.3  Implement  and  operate  the  SMS  (Do), 
4.5.4  Monitor  and  review  the  SMS  (Check)  and  4.5.5  Maintain  and 
improve  the  SMS  (Act))  which  detail  the  actions  needed  to  establish 
an  ITSMS  and  extend  with  specific  aspects  and  issues  of  IT  service 
management  the  definitions  of  the  four  stages  of  the  PDCA  cycle. 

53.  ISO  9001  and  ISO/IEC 20000-1  integrated  management  system 

Table  9  shows  the  ISO  9001  and  ISO/IEC  20000-1  IMS.  The  first 
column  contains  all  the  clauses  of  ISO  9001  requirements.  The  values 
defined  in  the  second  column,  type  of  relation,  represent  the  existing  re¬ 
lation  with  the  ITSMS  requirements  of  ISO/IEC  20000-1,  as  shown  in  the 
third  column.  These  values  are  indicative,  since  not  all  organizations 
give  the  same  importance  or  weight  to  the  same  requirements  within 


Fig.  2.  The 


mapping  process  flow. 


their  custom  management  systems.  It  has  to  be  noted  that  the  standards 
defining  management  systems  specify  what  should  be  met,  but  not 
how. 

An  organization  with  an  ISO  9001  QMS  wishing  to  implement  the 
ISO/IEC  20000-1  ITSMS  will  have  to  widen  the  scope  of  the  existing 
QMS  by  considering  the  requirements  of  ISO  20000  partially  (P)  related 
and  integrate  all  the  other  applicable  ITSMS  requirements  that  do  not 
appear  on  the  third  column  of  the  table.  As  a  result,  the  organization 
will  have  implemented  an  IMS  with  a  substantial  reduction  of  duplici¬ 
ties  and  inconsistencies  and  an  important  saving  of  effort  and  resources 
at  the  time  of  implementation. 

6.  Guide  to  support  the  implementation  of  an  integrated  IT  service 
management  system 

The  final  result  of  the  conducted  research  has  been  a  guide  to  support 
organizations  in  effectively  implementing  an  ISO/IEC  20000-1  ITSMS  in¬ 
tegrated  with  the  existing  ISO  9001  QMS.  This  guide  is  named  “IT  Service 
Management  —  Guidelines  for  the  implementation  of  ISO/IEC  20000- 
1:2011  from  ISO  9001:2008”. 

The  guide  follows  the  philosophy  and  structure  used  by  the  ISO 
when  providing  guidance  for  organizations  in  the  application  of  ISO 
9001,  such  as  ISO/IEC  90003:2004  Software  engineering  —  Guidelines 
for  the  application  of  ISO  9001:2000  to  computer  software  [42]  and 
ISO/IEC  TR  90005:2008  Systems  engineering  -  Guidelines  for  the  appli¬ 
cation  of  ISO  9001  to  system  life  cycle  processes  [43],  These  two  docu¬ 
ments  provide  guidance  for  organizations  in  the  application  of  ISO 
9001:2000  to  the  acquisition,  supply,  development,  operation  and 
maintenance  of  computer  software  and  systems,  respectively. 

In  2008,  ISO  initiated  a  new  project  called  ISO/IEC  NP  90006  Informa¬ 
tion  technology  —  Guidelines  for  the  application  of  ISO  9001 :2000  to  IT 
service  management  [44]  to  develop  a  guide  for  the  application  of  ISO 
9001  to  IT  service  management.  However,  some  years  after,  this  standard 
is  still  under  development. 

For  each  ISO  9001 :2008  requirement  the  guide  provides: 

•  The  title  and  content  of  the  ISO/IEC  9001 :2008  clause, 

•  The  type  of  relation  with  ISO/IEC  20000-1 :201 1, 

•  A  detailed  explanation  of  the  ITSMS  requirements  to  be  added  to  the 
QMS  requirements  already  implemented  within  the  organization  and 

•  The  text  of  the  related  ISO/IEC  20000-1 :201 1  requirement/s.  This  in¬ 
formation  is  shown  only  in  the  case  of  a  partial  relation. 

It  has  to  be  noted  that,  even  being  the  most  important  result  of  the 
research  performed,  the  guide  is  not  presented  because  of  its  extension 
(49  pages).  However,  with  the  aim  of  illustrating  the  usage  of  the  guide, 
Fig.  3  shows  an  excerpt  for  a  particular  ISO  9001  requirement.  In  order 
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Table  9  (continued) 


ISO  9001 :2008  Type  of  relation  ISO/IEC  20000-1 :201 1 

Continual  improvement  8.5.1  P  4.5.5  Maintain  and  improve  the  SMS  (Act) 

Corrective  action  8.5.2 

Preventive  action  8.5.3 


IT  Service  Management  -  Guidelines  for  the  implementation  of  ISO/IEC  20000- 1:201 1  from  ISO  900  i  :2008 


5  MANAGEMENT  RESPONSIBILITY 

ISO  9001:2008  Quality  management  systems  -  Requirements 

5.1  Management  commitment 

Top  management  shall  provide  evidence  of  its  commitment  to  the  development  and 
implementation  of  the  quality  management  system  and  continually  improving  its 
effectiveness  by 

a)  communicating  to  the  organization  the  importance  of  meeting  customer  as  well  as 
statutory  and  regulatory  requirements, 

b)  establishing  the  quality  policy, 

c)  ensuring  that  quality  objectives  are  established, 

d)  conducting  management  reviews,  and 

e)  ensuring  the  availability  of  resources. 


Relation 

Partial  relation.  There  are  some  ISO/IEC  20000-1  IT  service  management  system 
requirements  that  expand  the  ISO  9001  quality  management  system  requirements. 


Comments 

Three  new  requirements  (4. l.l.b,  4. l.l.c  and  4.1.1  ,g)  should  be  added  to  the  ISO  9001 
Management  commitment  requirements  in  order  to  enable  an  effective  implementation 
and  management  of  all  IT  services.  The  first  one  ensures  that  the  service  management 
plan  adheres  to  the  policy,  achieve  the  objectives  for  service  management  and  fulfil  the 
service  requirements.  The  second  requirement  is  related  to  the  communication  of  the 
importance  of  fulfilling  service  requirements.  The  last  one  ensures  that  service 
management  risks  are  assessed  and  managed. 


Text  of  the  ISO/IEC  20000-1:2011  related  requirement/s 

4  SERVICE  MANAGEMENT  SYSTEM  GENERAL  REQUIREMENTS 

4.1  Management  responsibility 

4. 1. 1  Management  commitment 

Top  management  shall  provide  evidence  of  its  commitment  to  planning,  establishing, 
implementing,  operating,  monitoring,  reviewing,  maintaining,  and  improving  the  SMS 
and  services  by: 

b)  ensuring  that  the  service  management  plan  is  created,  implemented  and  maintained 
in  order  to  adhere  to  the  policy,  achieve  the  objectives  for  service  management  and 
fulfil  the  service  requirements; 

c)  communicating  the  importance  of  fulfilling  service  requirements: 
g)  ensuring  that  risks  to  services  are  assessed  and  managed. 
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Fig.  3.  Excerpt  of  the  guide  "IT  Service  Management  -  Guic 


:  implementation  of  ISO/IEC  20000-1:2011  from  ISO  9001:2008". 
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Table  10 

Characteristics  of  interviewed  organizations. 


Case  Interviewee  role 

A  IT  manager 

B  IT  manager 

C  IT  manager 

D  IT  manager 

E  IT  manager 


Size  Core  business 


Medium  IT  services 

Medium  IT  services 

Medium  Software  solutions 


Client  sector  ITIL 

Tourism  V3 

Tourism  V3 

Tourism 

Society 


QMS  Location 


ISO  9001  Spain 

EFQM 

ISO  9001  Spain 

Spain 

ISO  9001  Spain 

ISO  9001  Spain 


to  improve  the  comprehension  of  the  work  done,  we  have  selected  as  an 
example  the  requirements  of  clause  5.1  Management  commitment  of  ISO 
9001,  whose  relations  have  already  been  discussed  in  Section  5.2. 

In  order  to  complete  the  IMS,  the  guide  also  lists  the  ISO/IEC  20000-1 
ITSM  requirements  which  are  not  related  to  any  requirement  of  the  ISO 
9001  QMS,  and  should  be  implemented  as  indicated  in  the  ISO/IEC 
20000-1  standard. 

6.1.  Application  of  the  guide 

The  guide  to  support  the  implementation  of  an  integrated  ITSMS  has 
a  double  application.  It  could  be  used,  on  the  one  hand: 

•  To  facilitate  the  implementation  of  the  ISO/IEC  20000-1  standard  in 
organizations  which  are  or  have  been  involved  in  a  quality  initiative 
according  to  ISO  9001  or,  on  the  other  hand, 

•  To  facilitate  the  simultaneous  implementation  of  both  ISO/IEC  20000-1 
and  ISO  9001  standards,  avoiding  the  repetition  of  similar  tasks  includ¬ 
ed  in  both  standards,  and  therefore,  reducing  the  amount  of  effort  re¬ 
quired  by  the  organization. 

In  both  cases,  for  each  of  the  ISO/IEC  20000-1  ITSMS  requirements, 
the  guide  proposes  a  set  of  actions  on  the  ISO  9001  quality  management 
system  to  meet  the  IT  service  management  issues  of  the  related 
requirements. 

6.2.  Evaluation  of  the  guide  in  service  companies 

The  guide  was  evaluated  using  semi-structured  face-to-face  inter¬ 
views  in  five  different  organizations.  Table  10  provides  an  overview  of 
the  interviewed  organizations.  To  maintain  confidentiality,  the  organi¬ 
zations  are  referred  to  as  Case  A  to  D. 

The  respondents  in  the  five  organizations  were  the  managers  of  the  IT 
departments.  Based  on  the  categorization  of  the  European  Commission 
[45],  all  companies  are  medium-sized  (50-249  staff).  Three  interviewed 


organizations  have  significant  links  with  the  tourism  sector,  as  they  all 
provide  IT  services  to  the  tourism  industry.  Tourism  is  a  service¬ 
intensive  industry  that  is  dependent  on  the  quality  of  customers'  service 
experiences  and  consumption  occurs  in  interaction  with  the  suppliers  of 
those  services  [46,47],  Case  D  is  a  local  public  administration  that 
provides  services  primarily  in  the  environment,  welfare  facilities  and 
urbanism  sectors.  Case  E  is  a  hospital  center  that  provides  health  services 
to  its  customers. 

All  the  interviewed  organizations  have  a  strong  commitment  to 
quality  and  were  chosen  by  the  researchers  for  the  guide  evaluation  be¬ 
cause  they  have  conducted  process  improvement  initiatives  in  various 
knowledge  areas  at  different  organizational  levels.  Two  of  the  three 
interviewed  organizations  use  ITIL  as  a  reference  framework  (A,  B). 
Four  of  the  interviewed  organizations  are  certified  to  the  ISO  9001  quality 
management  system  (A,  B,  D,  E)  and  the  EFQM  Excellence  Model  is 
followed  in  Case  A. 

As  four  companies  (A  B,  D,  E)  had  already  got  the  ISO  9001  certifica¬ 
tion,  they  applied  the  guide  in  order  to  validate  its  usefulness,  complete¬ 
ness,  and  suitability  when  integrating  the  ISO/IEC  20000-1  ITSMS 
requirements.  They  used  the  guide  to  identify  and  validate  the  ISO/IEC 
20000-1  ITSMS  requirements  which  could  be  deployed  on  each  of  the 
ISO  9001  QMS  established  in  the  organization.  In  addition,  the  compa¬ 
nies  were  able  to  observe  that  there  existed  other  ITSMS  requirements 
not  covered  so  far  that  could  be  easily  deployed  on  the  existent  QMS. 

Case  C  applied  the  guide  to  initiate  the  simultaneous  implementa¬ 
tion  of  both  ISO/IEC  20000-1  and  ISO  9001  management  systems.  As 
the  quality  responsible  was  not  familiar  with  the  terms  and  definitions 
used  by  both  standards,  we  supported  the  company  to  interpret  all  con¬ 
fusing  issues,  to  take  agreed  solutions  and  adopt  them  at  all  organiza¬ 
tional  levels.  Case  C  will  soon  be  formally  audited  to  get  the  ISO/IEC 
20000-1  certification. 

Table  1 1  summarizes  the  answers  collected  in  the  case  organizations 
as  reported  in  the  interviews.  In  the  first  column  the  table  lists  the 
requirements  of  both  ISO  9001  and  ISO/IEC  20000-1  management 


Table  11 

Summary  of  the  results  obtained  from  the  interviewed  organizations. 


Case  Requirements  of  both  ISO  9001  and  ISO/IEC  20000-1 
management  systems  most  easily  integrated 
A  Documentation  management 

Monitoring,  measurement  and  internal  audits 
Human  resources  competence,  training  and 
awareness 

The  definition  of  corrective  and  preventive  actions 
B  Documentation  management 

Monitoring,  measurement  and  internal  audits 
Management  responsibility  and  commitment 


D  Documentation  management 

Human  resources  competence,  training  and 
awareness 

Provision  of  resources 
E  Documentation  management 

Monitoring,  measurement  and  internal  audits 
Management  responsibility  and  commitment 


Major  advantages  of  integration 


Impact  of  the  IMS  on  IT  service  quality 


Increased  efficiency 

Better  matching  stakeholder  interests 


Customer  satisfaction 
IT  service  quality/stability 
Certification  of  the  organization 


Standardization 

Minimizing  problems  with  communication  between  different 


Possibility  to  link  quality  related  and  IT  service  management 
related  aspects  with  ethics  and  organizational  profitability 

Effective  support  of  processes 
Efficient  monitoring  of  stakeholder  aspects 


Consolidation  of  the  PDCA  approach 
Integrated  audits 

Common  documentation  system  with  common  structure  of  routines 


Customer  satisfaction 

Better  alignment  of  people  and 

information 

Certification  of  the  organization 

Customer  satisfaction 

Facilitation  of  growth  of  the  organization 

Certification  of  the  organization 

Customer  satisfaction 

IT  service  quality/stability 

Better  alignment  of  people  and 

information 

Customer  satisfaction 

Reduction  in  the  number  of  incidents 
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systems  that  can  be  integrated  in  a  greater  way.  From  the  feedback  re¬ 
ceived  it  was  deduced  that  the  most  easily  integrable  requirements 
were  those  related  to  documentation  management  (A,  B,  D,  E);  moni¬ 
toring,  measurement  and  internal  audits  ( A,  B,  E) ;  management  respon¬ 
sibility  and  commitment  (B,  E)  and  human  resources  competence, 
training  and  awareness  (A,  D).  Case  D  pointed  out  that  the  new  IMS 
facilitated  the  process  for  providing  resources  and  Case  A  stated  that 
the  integration  had  helped  to  define  corrective  and  preventive  actions 
applicable  to  the  entire  service  life  cycle. 

From  the  second  column  of  Table  1 1,  we  see  that  the  major  advan¬ 
tages  of  the  IMS  collected  in  the  case  organizations  span  different  areas 
of  organizational  management.  Three  organizations  (B,  D,  E)  considered 
process  improvement  as  one  of  the  strengths  of  the  integration  initiative, 
by  the  establishment  of  a  set  of  managed  and  repeatable  procedures  and 
a  common  documentation  system.  Another  benefit  obtained  was  the  def¬ 
inition  of  a  useful  system  to  engage,  get  the  commitment  and  keep  satis¬ 
fied  all  the  stakeholder  interests  (A,  B,  D).  Cases  A  and  C  affirmed  that  the 
organizational  efficiency  and  profitability  had  notably  increased  and  the 
use  of  resources  had  gradually  improved  tending  to  optimal.  Case  E  also 
points  out  that,  from  now  on,  the  integrated  audits  will  cover  both  ISO 
9001  and  ISO/1EC  20000-1  requirements. 

The  right- most  column  of  Table  11  aims  to  identify  information  on 
the  impact  of  the  integration  initiative  on  IT  service  quality  in  the 
interviewed  organizations.  When  asked  how  the  new  IMS  impacted 
the  various  areas  of  IT  service  quality,  the  interviewees  uniformly 
responded  that  the  customers  were  more  satisfied.  Other  aspects  affected 
were  the  stability  and  quality  of  services  and  reduction  in  the  number  of 
incidents  (A,  D,  E),  the  facilitation  of  growth  and  certification  of  the  orga¬ 
nization  (A,  B,  C)  and  better  alignment  of  people  and  information  (B,  D). 

6.3.  Lessons  learned 

Regarding  the  remarks  related  to  the  application  of  the  guide  to 
support  the  implementation  of  the  integrated  ITSMS  in  the  five  service 
companies,  we  could  point  out  that: 

•  These  companies  were  unaware  of  the  similarity  between  the  structure 
and  the  certification  process  of  both  ISO  9001  and  ISO/IEC  20000-1 
standards.  Some  employees  knew  ITIL  but  above  all,  they  knew  the  ex¬ 
istence  of  its  professional  certifications.  The  ISO/IEC  20000-1  standard 
seemed  very  complex  and  out  of  reach  to  them.  These  companies 
required  external  intervention  and  consultancy  to  support  process  de¬ 
velopment  and  improvement,  issues  that  they  generally  unknown  and 
considered  utopian  and  distant. 

•  These  companies  were  fully  devoted  to  their  productive  work  and  to 
solve  their  day-to-day  problems.  They  are  often  unable  and  unwilling 
to  devote  time  and  efforts  to  define  and  deploy  new  processes  or  assets. 
Some  of  these  companies  do  not  have  a  quality  department,  unlike 
larger  organizations,  which  is  dedicated  to  these  tasks.  In  small  organi¬ 
zations,  personnel  are  more  oriented  to  service  provision  or  manage¬ 
ment  instead  of  establishing  new  working  practices. 

•  Service  companies  not  only  need  to  know  what  to  do  in  order  to 
improve  their  services,  but  also  they  need  to  have  specific  procedures 
describing  in  detail  the  work  they  have  to  perform,  with  a  clear  set  of 
best  practices  and  a  set  of  assets  that  will  help  to  carry  them  out.  These 
procedures  should  be  simple  and  applicable  to  the  types  of  services 
that  they  normally  provide. 

The  valuation  of  this  initiative  is  totally  positive.  As  key  strengths  for 
its  success  it  is  worth  highlighting: 

•  The  active  participation,  motivation  and  consciousness  of  all  the 
participant  companies.  A  representative  in  each  company  (the  IT 
manager)  was  selected  to  channel  the  needs  and  requirements  of 
his/her  company  and  raise  them  to  the  periodical  monitoring  meetings. 

•  The  willingness  to  share  the  knowledge  with  the  authors  of  the  guide. 
The  comments  and  experience  gathered  from  the  guide  application  in 


these  companies  have  been  very  useful  to  revise  some  sections  in 
order  to  improve  the  readability  and  comprehension  of  all  the  proposed 
actions. 

•  The  establishment  of  a  detailed  plan  and  its  compliance  with  only  some 
slight  deviations.  A  very  clear  schedule  with  periodical  monitoring  in 
each  participant  company  was  defined.  Without  these  reviews  for  the 
team  to  understand  the  next  improvement  actions  to  take,  the  cost  of 
the  implementation  of  the  ISO/IEC  20000-1  standard  would  have 
been  much  higher. 

•  The  selection  of  a  collaborative  work  tool  (Trello)  to  support  the  com¬ 
munication  and  file-sharing  between  all  the  representatives  and  the 
authors  of  the  guide. 

7.  Conclusions  and  future  work 

This  paper  has  presented  the  research  performed  to  integrate  the  IT 
service  management  requirements  into  the  quality  management  system 
of  a  service  organization.  After  a  systematic  literature  review  of  the  all 
existing  initiatives  to  integrate  the  ITSMS  with  the  ISO  9001  QMS,  and 
after  a  thorough  analysis  of  all  the  relations  between  the  requirements 
of  the  ISO/IEC  20000-1  and  ISO  9001  management  systems,  the  major 
contribution  of  the  work  is  a  guide  to  support  the  implementation  of  an 
IMS  bringing  together  the  requirements  of  both  IT  service  and  quality 
management  systems.  As  it  has  been  proved,  because  the  ISO  9001 
QMS  and  the  ISO/IEC  20000-1  ITSMS  follow  a  process  approach  and  are 
based  on  the  PDCA  cycle,  both  management  systems  can  be,  after  some 
efforts,  connected  and  integrated. 

The  objective  of  this  paper  has  been  achieved:  the  demand  of  orga¬ 
nizations  for  guidelines  to  support  the  integrated  establishment  of  an 
ITSMS  with  the  ISO  9001  QMS  has  been  satisfied  thanks  to  the  guide 
developed  during  this  research;  and  its  validity  has  been  evaluated  in 
industry.  This  guide  can  be  useful  for  IT  service  provider  organizations 
to  facilitate  compatibility  between  management  systems,  goal  alignment, 
ease  in  decision-malting  and  the  reduction  of  the  resources  required  for 
their  implementation,  management  and  maintenance.  While  the  first 
time  an  organization  adopts  a  standard  it  has  to  make  important  efforts 
to  follow  all  the  requirements  it  defines,  from  the  implementation  of 
the  second  standard  onwards,  the  company  can  take  big  advantage  of 
all  the  previous  efforts  made,  the  lessons  learned  and  the  good  practices 
deployed  before. 

The  valuation  of  the  application  of  the  guide  in  different  service 
companies  in  our  country  is  totally  positive.  The  applicability  of  the 
guide  in  organizations  from  different  sectors  has  been  proved.  From 
the  feedback  we  have  received  from  management,  it  seems  that  organi¬ 
zations  are  willing  to  bet  on  management  system  integration.  Flowever, 
they  have  traditionally  found  difficulties  to  achieve  this  goal,  due  to  the 
lack  of  clear  guidelines  that  support  the  integration  of  management 
systems.  The  main  benefits  the  companies  have  raised  from  the  guide 
application  are:  significant  cost  savings,  increase  of  flexibility,  efficiency 
and  coherence. 

This  study  has  its  limitations.  Although  the  five  cases  were  diverse, 
selecting  cases  from  more  different  industries  will  provide  stronger 
support  for  the  definition  of  specific  recommendations  included  in  the 
guide.  Further  work  is  expected  to  be  performed  in  order  to  improve 
the  developed  guide  by  considering  the  lessons  learned  from  its  appli¬ 
cation  in  more  companies.  To  date,  the  guide  has  been  refined  based 
on  the  evaluation  suggesting  additional  clarifications  on  the  terms 
used  by  the  standards  that  integrates.  Future  actions  already  planned 
include  the  development  of  new  assets  to  support  the  application  of 
the  guide,  the  changes  in  some  of  the  existing  ones  and  the  addition 
of  some  new  good  practices  to  certain  processes  and  requirements. 

Furthermore,  the  authors  plan  to  continue  the  research  to  under¬ 
stand  the  benefits  and  feasibility  to  widen  the  scope  of  the  provided 
IMS  in  order  to  align  it  with  ISO/IEC  27001  and  COBIT  5.  The  main  goal 
of  this  next  iteration  is  to  analyze  the  relations  between  the  IMS  and 
the  information  security  management  requirements  of  the  ISO/IEC 
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27001  standard  and  the  best  practices  for  the  governance  and  manage¬ 
ment  of  enterprise  IT  defined  by  COBH.  As  these  two  frameworks  follow 
a  process  approach  and  are  also  based  on  the  PDCA  cycle,  we  intuitively 
think  that  the  creation  of  synergies  between  the  management  systems 
they  define  and  the  integration  of  their  organizational  policies  and  oper¬ 
ational  controls  is  very  viable. 
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